fix: honor LdapOptions.Enabled at runtime; dedupe ILdapAuthService registration; +SearchBase test, doc fix

Directory.Packages.props

@@ -103,5 +103,6 @@
     <PackageVersion Include="ZB.MOM.WW.Telemetry.Serilog" Version="0.1.0" />
     <PackageVersion Include="ZB.MOM.WW.MxGateway.Client" Version="0.1.0" />
     <PackageVersion Include="ZB.MOM.WW.MxGateway.Contracts" Version="0.1.0" />
+    <PackageVersion Include="ZB.MOM.WW.Configuration" Version="0.1.0" />
   </ItemGroup>
 </Project>

NuGet.config

@@ -18,6 +18,7 @@
       <package pattern="ZB.MOM.WW.Health.*" />
       <package pattern="ZB.MOM.WW.Telemetry" />
       <package pattern="ZB.MOM.WW.Telemetry.*" />
+      <package pattern="ZB.MOM.WW.Configuration" />
     </packageSource>
   </packageSourceMapping>
 </configuration>

src/Server/ZB.MOM.WW.OtOpcUa.Host/Configuration/LdapOptionsValidator.cs

@@ -0,0 +1,33 @@
+using ZB.MOM.WW.Configuration;
+using ZB.MOM.WW.OtOpcUa.Security.Ldap;
+
+namespace ZB.MOM.WW.OtOpcUa.Host.Configuration;
+
+/// <summary>
+///     Fail-fast startup validator for <see cref="LdapOptions"/>, built on the shared
+///     <c>ZB.MOM.WW.Configuration</c> <see cref="OptionsValidatorBase{TOptions}"/>. When LDAP login
+///     is enabled, <c>Server</c> and <c>SearchBase</c> must be set and <c>Port</c> must be a valid
+///     TCP port; when disabled — or when <c>DevStubMode</c> bypasses the real bind — all checks are
+///     skipped. <c>ServiceAccountDn</c>/<c>Password</c> are
+///     intentionally not required — an empty pair selects the direct-bind path (see
+///     <see cref="LdapOptions.ServiceAccountDn"/>). Failure messages use <c>"Ldap:"</c> as a
+///     human-readable field prefix — not the literal bound section path, which is
+///     <c>Security:Ldap</c> (see <see cref="LdapOptions.SectionName"/>).
+/// </summary>
+public sealed class LdapOptionsValidator : OptionsValidatorBase<LdapOptions>
+{
+    /// <inheritdoc />
+    protected override void Validate(ValidationBuilder builder, LdapOptions options)
+    {
+        // Skip the real-LDAP field checks when LDAP login is disabled, or when the dev stub is
+        // active — DevStubMode bypasses the real bind entirely, so Server/SearchBase/Port are
+        // irrelevant and would otherwise force dev configs to carry meaningless placeholders.
+        if (!options.Enabled || options.DevStubMode) return;
+
+        builder.RequireThat(!string.IsNullOrWhiteSpace(options.Server),
+            "Ldap:Server is required when LDAP login is enabled.");
+        builder.RequireThat(!string.IsNullOrWhiteSpace(options.SearchBase),
+            "Ldap:SearchBase is required when LDAP login is enabled.");
+        builder.Port(options.Port, "Ldap:Port");
+    }
+}

src/Server/ZB.MOM.WW.OtOpcUa.Host/Configuration/OpcUaApplicationHostOptionsValidator.cs

@@ -0,0 +1,33 @@
+using ZB.MOM.WW.Configuration;
+using ZB.MOM.WW.OtOpcUa.OpcUaServer;
+
+namespace ZB.MOM.WW.OtOpcUa.Host.Configuration;
+
+/// <summary>
+///     Fail-fast startup validator for <see cref="OpcUaApplicationHostOptions"/>, built on the
+///     shared <c>ZB.MOM.WW.Configuration</c> <see cref="OptionsValidatorBase{TOptions}"/>. The C#
+///     defaults are all valid, so a host with no explicit <c>"OpcUa"</c> section passes untouched;
+///     the validator exists to reject explicit prod/env overrides before the OPC UA SDK boots.
+///     Identity/transport essentials (<c>ApplicationName</c>, <c>ApplicationUri</c>,
+///     <c>PublicHostname</c>, <c>PkiStoreRoot</c>, <c>OpcUaPort</c>) must be present/valid and at
+///     least one security profile must be enabled. Optional fields — <c>ApplicationConfigPath</c>,
+///     <c>PeerApplicationUris</c>, <c>AutoAcceptUntrustedClientCertificates</c>, and
+///     <c>ProductUri</c> — are intentionally not validated. Failure messages carry the real
+///     <c>"OpcUa:"</c> section prefix matching the bound configuration section.
+/// </summary>
+public sealed class OpcUaApplicationHostOptionsValidator : OptionsValidatorBase<OpcUaApplicationHostOptions>
+{
+    /// <inheritdoc />
+    protected override void Validate(ValidationBuilder builder, OpcUaApplicationHostOptions o)
+    {
+        builder.Required(o.ApplicationName, "OpcUa:ApplicationName");
+        builder.Required(o.ApplicationUri, "OpcUa:ApplicationUri");
+        builder.Required(o.PublicHostname, "OpcUa:PublicHostname");
+        builder.Required(o.PkiStoreRoot, "OpcUa:PkiStoreRoot");
+        builder.Port(o.OpcUaPort, "OpcUa:OpcUaPort");
+        // EnabledSecurityProfiles is declared as IList<T> — that interface does not derive from
+        // IReadOnlyCollection<T>, so it can't bind to MinCount's IReadOnlyCollection<T> parameter
+        // directly. ToList() bridges to the shared primitive while preserving the count (and message).
+        builder.MinCount(o.EnabledSecurityProfiles?.ToList(), 1, "OpcUa:EnabledSecurityProfiles");
+    }
+}

src/Server/ZB.MOM.WW.OtOpcUa.Host/OpcUa/OtOpcUaServerHostedService.cs

@@ -1,6 +1,6 @@
-using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 using ZB.MOM.WW.OtOpcUa.Commons.OpcUa;
 using ZB.MOM.WW.OtOpcUa.OpcUaServer;
 using ZB.MOM.WW.OtOpcUa.OpcUaServer.Security;
@@ -20,7 +20,7 @@ namespace ZB.MOM.WW.OtOpcUa.Host.OpcUa;
 /// </summary>
 public sealed class OtOpcUaServerHostedService : IHostedService, IAsyncDisposable
 {
-    private readonly IConfiguration _configuration;
+    private readonly OpcUaApplicationHostOptions _options;
     private readonly DeferredAddressSpaceSink _deferredSink;
     private readonly DeferredServiceLevelPublisher _deferredServiceLevel;
     private readonly IOpcUaUserAuthenticator _userAuthenticator;
@@ -33,19 +33,19 @@ public sealed class OtOpcUaServerHostedService : IHostedService, IAsyncDisposabl
     /// <summary>
     /// Initializes a new instance of the OtOpcUaServerHostedService class.
     /// </summary>
-    /// <param name="configuration">The application configuration.</param>
+    /// <param name="options">The validated OPC UA host options (bound from the <c>OpcUa</c> section and validated at startup via <c>ValidateOnStart</c>).</param>
     /// <param name="deferredSink">The deferred address space sink that receives the real sink once the server is ready.</param>
     /// <param name="deferredServiceLevel">The deferred service level publisher that receives the real publisher once the server is ready.</param>
     /// <param name="userAuthenticator">The OPC UA user authenticator.</param>
     /// <param name="loggerFactory">The logger factory for creating loggers.</param>
     public OtOpcUaServerHostedService(
-        IConfiguration configuration,
+        IOptions<OpcUaApplicationHostOptions> options,
         DeferredAddressSpaceSink deferredSink,
         DeferredServiceLevelPublisher deferredServiceLevel,
         IOpcUaUserAuthenticator userAuthenticator,
         ILoggerFactory loggerFactory)
     {
-        _configuration = configuration;
+        _options = options.Value;
         _deferredSink = deferredSink;
         _deferredServiceLevel = deferredServiceLevel;
         _userAuthenticator = userAuthenticator;
@@ -59,12 +59,9 @@ public sealed class OtOpcUaServerHostedService : IHostedService, IAsyncDisposabl
     /// <param name="cancellationToken">Cancellation token.</param>
     public async Task StartAsync(CancellationToken cancellationToken)
     {
-        var options = new OpcUaApplicationHostOptions();
-        _configuration.GetSection("OpcUa").Bind(options);
-
         _server = new OtOpcUaSdkServer();
         _appHost = new OpcUaApplicationHost(
-            options,
+            _options,
             _loggerFactory.CreateLogger<OpcUaApplicationHost>(),
             _userAuthenticator);
 

src/Server/ZB.MOM.WW.OtOpcUa.Host/Program.cs

@@ -1,4 +1,5 @@
 using Akka.Hosting;
+using Microsoft.Extensions.DependencyInjection.Extensions;
 using Serilog;
 using ZB.MOM.WW.OtOpcUa.AdminUI;
 using ZB.MOM.WW.OtOpcUa.AdminUI.Clients;
@@ -10,16 +11,19 @@ using ZB.MOM.WW.OtOpcUa.ControlPlane;
 using ZB.MOM.WW.OtOpcUa.Commons.OpcUa;
 using ZB.MOM.WW.OtOpcUa.Commons.Engines;
 using ZB.MOM.WW.OtOpcUa.Host;
+using ZB.MOM.WW.OtOpcUa.Host.Configuration;
 using ZB.MOM.WW.OtOpcUa.Host.Drivers;
 using ZB.MOM.WW.OtOpcUa.Host.Engines;
 using ZB.MOM.WW.OtOpcUa.Host.Health;
 using ZB.MOM.WW.OtOpcUa.Host.Observability;
 using ZB.MOM.WW.OtOpcUa.Host.OpcUa;
+using ZB.MOM.WW.OtOpcUa.OpcUaServer;
 using ZB.MOM.WW.OtOpcUa.OpcUaServer.Security;
 using ZB.MOM.WW.OtOpcUa.Runtime;
 using ZB.MOM.WW.OtOpcUa.Security;
 using ZB.MOM.WW.OtOpcUa.Security.Endpoints;
 using ZB.MOM.WW.OtOpcUa.Security.Ldap;
+using ZB.MOM.WW.Configuration;
 using ZB.MOM.WW.Telemetry.Serilog;
 
 // Roles drive the entire conditional wiring below — see ZB.MOM.WW.OtOpcUa.Cluster.RoleParser.
@@ -96,10 +100,18 @@ if (hasDriver)
         new RoslynScriptedAlarmEvaluator(sp.GetRequiredService<ILoggerFactory>().CreateLogger<RoslynScriptedAlarmEvaluator>()));
     builder.Services.AddSingleton<IScriptedAlarmEvaluator>(sp => sp.GetRequiredService<RoslynScriptedAlarmEvaluator>());
 
-    builder.Services.AddOptions<LdapOptions>().Bind(builder.Configuration.GetSection("Ldap"));
-    builder.Services.AddSingleton<ILdapAuthService, LdapAuthService>();
+    builder.Services.AddValidatedOptions<LdapOptions, LdapOptionsValidator>(builder.Configuration, LdapOptions.SectionName);
+    // TryAdd so a fused admin+driver node (where AddOtOpcUaAuth also registers this) ends up
+    // with exactly one descriptor; on a driver-only node this is the sole registration.
+    builder.Services.TryAddSingleton<ILdapAuthService, LdapAuthService>();
     builder.Services.AddSingleton<IOpcUaUserAuthenticator, LdapOpcUaUserAuthenticator>();
 
+    // Bind + validate the OPC UA host options the same way (fail-fast at start via ValidateOnStart)
+    // and let OtOpcUaServerHostedService consume the validated IOptions instance rather than
+    // re-binding the section imperatively. Defaults pass; this guards explicit prod/env overrides.
+    builder.Services.AddValidatedOptions<OpcUaApplicationHostOptions, OpcUaApplicationHostOptionsValidator>(
+        builder.Configuration, "OpcUa");
+
     builder.Services.AddHostedService<OtOpcUaServerHostedService>();
 }
 

src/Server/ZB.MOM.WW.OtOpcUa.Host/ZB.MOM.WW.OtOpcUa.Host.csproj

@@ -32,6 +32,7 @@
         <PackageReference Include="ZB.MOM.WW.Health.EntityFrameworkCore" />
         <PackageReference Include="ZB.MOM.WW.Telemetry" />
         <PackageReference Include="ZB.MOM.WW.Telemetry.Serilog" />
+        <PackageReference Include="ZB.MOM.WW.Configuration" />
     </ItemGroup>
 
     <ItemGroup>

src/Server/ZB.MOM.WW.OtOpcUa.Security/Ldap/LdapAuthService.cs

@@ -21,6 +21,11 @@ public sealed class LdapAuthService(IOptions<LdapOptions> options, ILogger<LdapA
     /// <param name="ct">A cancellation token to observe while waiting for the operation to complete.</param>
     public async Task<LdapAuthResult> AuthenticateAsync(string username, string password, CancellationToken ct = default)
     {
+        // Enabled is the master switch and wins over DevStubMode — when LDAP auth is turned off,
+        // refuse to authenticate at all (no bind, no dev-stub bypass).
+        if (!_options.Enabled)
+            return new(false, null, null, [], [], "LDAP authentication is disabled.");
+
         if (string.IsNullOrWhiteSpace(username))
             return new(false, null, null, [], [], "Username is required");
         if (string.IsNullOrWhiteSpace(password))

src/Server/ZB.MOM.WW.OtOpcUa.Security/Ldap/LdapOptions.cs

@@ -2,12 +2,12 @@ namespace ZB.MOM.WW.OtOpcUa.Security.Ldap;
 
 /// <summary>
 ///     LDAP + role-mapping configuration for the Admin UI. Bound from <c>appsettings.json</c>
-///     <c>Authentication:Ldap</c> section. Defaults point at the local GLAuth dev instance (see
+///     <c>Security:Ldap</c> section. Defaults point at the local GLAuth dev instance (see
 ///     <c>C:\publish\glauth\auth.md</c>).
 /// </summary>
 public sealed class LdapOptions
 {
-    public const string SectionName = "Authentication:Ldap";
+    public const string SectionName = "Security:Ldap";
 
     /// <summary>Gets or sets a value indicating whether LDAP authentication is enabled.</summary>
     public bool Enabled { get; set; } = true;

src/Server/ZB.MOM.WW.OtOpcUa.Security/ServiceCollectionExtensions.cs

@@ -4,6 +4,7 @@ using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using ZB.MOM.WW.OtOpcUa.Configuration;
@@ -36,7 +37,9 @@ public static class ServiceCollectionExtensions
         services.AddSingleton<JwtTokenService>();
         // Singleton — LdapAuthService is stateless (creates an LdapConnection per call) and
         // must be consumable by the Singleton LdapOpcUaUserAuthenticator on driver-role nodes.
-        services.AddSingleton<ILdapAuthService, LdapAuthService>();
+        // TryAdd so a fused admin+driver node (which also registers it in Program.cs for the
+        // driver path) ends up with exactly one descriptor regardless of registration order.
+        services.TryAddSingleton<ILdapAuthService, LdapAuthService>();
 
         services.AddDataProtection()
             .PersistKeysToDbContext<OtOpcUaConfigDbContext>()

tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/LdapOptionsBindingTests.cs

@@ -0,0 +1,62 @@
+using Microsoft.Extensions.Configuration;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Security.Ldap;
+
+namespace ZB.MOM.WW.OtOpcUa.Host.IntegrationTests;
+
+/// <summary>
+/// Regression guard for the LDAP config-section fix. The real config (admin/driver/Development
+/// overlays) lives under <c>Security:Ldap</c>, and <see cref="LdapOptions.SectionName"/> must point
+/// there so the configured <c>DevStubMode</c> actually binds. Previously the binders used the
+/// nonexistent <c>"Ldap"</c>/<c>"Authentication:Ldap"</c> sections, so the dev stub never activated.
+/// </summary>
+public sealed class LdapOptionsBindingTests
+{
+    /// <summary><see cref="LdapOptions.SectionName"/> resolves to the real overlay section.</summary>
+    [Fact]
+    public void SectionName_is_Security_Ldap()
+    {
+        LdapOptions.SectionName.ShouldBe("Security:Ldap");
+    }
+
+    /// <summary>
+    /// Binding from <see cref="LdapOptions.SectionName"/> reads the configured <c>DevStubMode</c>
+    /// from the real <c>Security:Ldap</c> section — proving the dev stub now takes effect.
+    /// </summary>
+    [Fact]
+    public void Binding_from_SectionName_reads_Security_Ldap_DevStubMode()
+    {
+        var configuration = new ConfigurationBuilder()
+            .AddInMemoryCollection(new Dictionary<string, string?>
+            {
+                ["Security:Ldap:DevStubMode"] = "true",
+            })
+            .Build();
+
+        var options = configuration.GetSection(LdapOptions.SectionName).Get<LdapOptions>();
+
+        options.ShouldNotBeNull();
+        options.DevStubMode.ShouldBeTrue();
+    }
+
+    /// <summary>
+    /// Negative control: binding from the old (nonexistent) <c>"Ldap"</c> section against the same
+    /// <c>Security:Ldap</c> config does NOT pick up <c>DevStubMode</c> — it falls back to the C#
+    /// default (false). This is the pre-fix behaviour the change corrects.
+    /// </summary>
+    [Fact]
+    public void Binding_from_old_Ldap_section_does_not_read_DevStubMode()
+    {
+        var configuration = new ConfigurationBuilder()
+            .AddInMemoryCollection(new Dictionary<string, string?>
+            {
+                ["Security:Ldap:DevStubMode"] = "true",
+            })
+            .Build();
+
+        var options = configuration.GetSection("Ldap").Get<LdapOptions>() ?? new LdapOptions();
+
+        options.DevStubMode.ShouldBeFalse();
+    }
+}

tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/LdapOptionsValidatorTests.cs

@@ -0,0 +1,121 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Host.Configuration;
+using ZB.MOM.WW.OtOpcUa.Security.Ldap;
+
+namespace ZB.MOM.WW.OtOpcUa.Host.IntegrationTests;
+
+/// <summary>
+/// Task 3 — verifies the net-new <see cref="LdapOptionsValidator"/> (built on the shared
+/// <c>ZB.MOM.WW.Configuration</c> <c>OptionsValidatorBase</c>/<c>ValidationBuilder</c>) gates on
+/// <see cref="LdapOptions.Enabled"/>, and that when enabled it requires <c>Server</c>,
+/// <c>SearchBase</c>, and a valid <c>Port</c>. Failure messages carry the real <c>"Ldap:"</c>
+/// section prefix so they read correctly when surfaced at host startup.
+/// </summary>
+public sealed class LdapOptionsValidatorTests
+{
+    private static readonly LdapOptionsValidator Sut = new();
+
+    /// <summary>Valid enabled options pass validation.</summary>
+    [Fact]
+    public void Valid_enabled_options_succeed()
+    {
+        var options = new LdapOptions
+        {
+            Enabled = true,
+            Server = "ldap",
+            SearchBase = "dc=x",
+            Port = 389,
+        };
+
+        Sut.Validate(null, options).Succeeded.ShouldBeTrue();
+    }
+
+    /// <summary>When LDAP is disabled all checks are skipped, so a blank config still passes.</summary>
+    [Fact]
+    public void Disabled_options_succeed_even_when_blank()
+    {
+        var options = new LdapOptions
+        {
+            Enabled = false,
+            Server = string.Empty,
+            SearchBase = string.Empty,
+            Port = 0,
+        };
+
+        Sut.Validate(null, options).Succeeded.ShouldBeTrue();
+    }
+
+    /// <summary>
+    /// When the dev stub is active the real LDAP fields are irrelevant (the bind is bypassed), so
+    /// the gate skips the Server/SearchBase/Port checks even though LDAP is nominally enabled.
+    /// </summary>
+    [Fact]
+    public void DevStubMode_options_succeed_even_when_server_blank()
+    {
+        var options = new LdapOptions
+        {
+            Enabled = true,
+            DevStubMode = true,
+            Server = string.Empty,
+            SearchBase = string.Empty,
+            Port = 0,
+        };
+
+        Sut.Validate(null, options).Succeeded.ShouldBeTrue();
+    }
+
+    /// <summary>Enabled with a blank server reports the required-server failure.</summary>
+    [Fact]
+    public void Enabled_with_blank_server_fails()
+    {
+        var options = new LdapOptions
+        {
+            Enabled = true,
+            Server = string.Empty,
+            SearchBase = "dc=x",
+            Port = 389,
+        };
+
+        var result = Sut.Validate(null, options);
+
+        result.Failed.ShouldBeTrue();
+        result.Failures.ShouldContain("Ldap:Server is required when LDAP login is enabled.");
+    }
+
+    /// <summary>Enabled with a blank search base reports the required-search-base failure.</summary>
+    [Fact]
+    public void Enabled_with_blank_search_base_fails()
+    {
+        var options = new LdapOptions
+        {
+            Enabled = true,
+            Server = "ldap",
+            SearchBase = string.Empty,
+            Port = 389,
+        };
+
+        var result = Sut.Validate(null, options);
+
+        result.Failed.ShouldBeTrue();
+        result.Failures.ShouldContain("Ldap:SearchBase is required when LDAP login is enabled.");
+    }
+
+    /// <summary>Enabled with port 0 reports the port-range failure using the shared primitive wording.</summary>
+    [Fact]
+    public void Enabled_with_zero_port_fails()
+    {
+        var options = new LdapOptions
+        {
+            Enabled = true,
+            Server = "ldap",
+            SearchBase = "dc=x",
+            Port = 0,
+        };
+
+        var result = Sut.Validate(null, options);
+
+        result.Failed.ShouldBeTrue();
+        result.Failures.ShouldContain("Ldap:Port must be between 1 and 65535 (was 0)");
+    }
+}

tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/OpcUaApplicationHostOptionsValidatorTests.cs

@@ -0,0 +1,59 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Host.Configuration;
+using ZB.MOM.WW.OtOpcUa.OpcUaServer;
+
+namespace ZB.MOM.WW.OtOpcUa.Host.IntegrationTests;
+
+/// <summary>
+/// Task 4 — verifies the net-new <see cref="OpcUaApplicationHostOptionsValidator"/> (built on the
+/// shared <c>ZB.MOM.WW.Configuration</c> <c>OptionsValidatorBase</c>/<c>ValidationBuilder</c>) that
+/// gates the OPC UA host options at startup. The C# defaults are all valid so a host with no
+/// explicit <c>"OpcUa"</c> section still passes; the validator exists to reject explicit
+/// prod/env overrides. Failure messages carry the real <c>"OpcUa:"</c> section prefix and the
+/// exact shared-primitive wording so they read correctly when surfaced via <c>ValidateOnStart</c>.
+/// </summary>
+public sealed class OpcUaApplicationHostOptionsValidatorTests
+{
+    private static readonly OpcUaApplicationHostOptionsValidator Sut = new();
+
+    /// <summary>The C# defaults (the as-bound shape when the section is absent) pass validation.</summary>
+    [Fact]
+    public void Default_options_succeed()
+    {
+        Sut.Validate(null, new OpcUaApplicationHostOptions()).Succeeded.ShouldBeTrue();
+    }
+
+    /// <summary>A port of 0 reports the shared port-range failure with the OpcUa prefix.</summary>
+    [Fact]
+    public void Zero_port_fails()
+    {
+        var result = Sut.Validate(null, new OpcUaApplicationHostOptions { OpcUaPort = 0 });
+
+        result.Failed.ShouldBeTrue();
+        result.Failures.ShouldContain("OpcUa:OpcUaPort must be between 1 and 65535 (was 0)");
+    }
+
+    /// <summary>A blank public hostname reports the shared required failure with the OpcUa prefix.</summary>
+    [Fact]
+    public void Blank_public_hostname_fails()
+    {
+        var result = Sut.Validate(null, new OpcUaApplicationHostOptions { PublicHostname = "" });
+
+        result.Failed.ShouldBeTrue();
+        result.Failures.ShouldContain("OpcUa:PublicHostname is required");
+    }
+
+    /// <summary>An empty security-profile list reports the shared min-count failure with the OpcUa prefix.</summary>
+    [Fact]
+    public void Empty_security_profiles_fails()
+    {
+        var result = Sut.Validate(null, new OpcUaApplicationHostOptions
+        {
+            EnabledSecurityProfiles = new List<OpcUaSecurityProfile>(),
+        });
+
+        result.Failed.ShouldBeTrue();
+        result.Failures.ShouldContain("OpcUa:EnabledSecurityProfiles must contain at least 1 item(s) (had 0)");
+    }
+}